The WD My Book Live NAS runs a full linux system which has not been updated by the manufacturer since 2015. Now the software has multiple unpatched vulnerabilities. Through the samba service, a root shell can be estblished.

What is the My Book Live?

“In 2011, Western Digital released the My Book Live Edition NAS. They range in storage capacity from 1 to 3 TB. My Book Live uses Applied Micro APM82181 processor working at 800 MHz and has 256 MB of RAM. Broadcom BCM54610 ethernet is able to support 10/100/1000 Mbit/s connectivity. Contrary to previous versions, Live has no USB ports. Instead of a Linux-Kernel & Busybox found in previous versions, Live uses a full-featured Debian GNU/Linux.” (Wikipedia)

Outdated firmware with vulnerabilities

Unfortunately, the manufacturer Western Digital released the last update of the firmware in the year 2015. In 2017, a vulnerability (CVE-2017-7494) in the SMB (Samba) was found. “Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” (cvedetails.com)

On the My Book Live, Samba 3.6.5 is installed and this service is vulnerable and can be exploited to gain full control over the device without knowing the usernames, passwords or anything but the IP address.

How to hack it

The process of exploiting CVE-2017-7494 is easy when done with Metasploit. Load the module exploit/linux/samba/is_known_pipename, set the correct options and run it. For some seconds there will be a root shell opened. Inside the root shell, a SSH-Server can be started and a root password set.

Start the SSH service in background:

/usr/sbin/sshd &

Set a password for current user:

passwd

Conclusion

The Samba (smb) service is only one of multiple programs running on the Linux system in the MyBook Live. I used OpenVAS to identify other potential vulnerabilities and there are plenty (dowload report). By using this device in your network, you not only risk losing you data. An attacker could use the MyBook Live as a permanent base in your network spying on you and perform other malicious activity.

New Firmware?

An alternative to throwing away your MyBook Live is to install an alternative firmware onto it. Check out OpenWrt:

https://openwrt.org/toh/wd/mybooklive

Further reading

Tags: